“Very big NTP reflection attack hitting us right now. Appears to be bigger than the #Spamhaus attack from last year. Mitigating.”
That Monday evening tweet from Matthew Prince, the cofounder and CEO of CloudFlare, signaled what’s being touted as the largest distributed denial of service attack ever launched on the Internet.
The attackers leveraged a known vulnerability in the Internet’s infrastructure to mount an assault on CloudFlare’s data centers in Europe and the United States that reached bandwidths of 400 gigabits per second.
The motives of the attackers are as yet unknown, but they don’t seem to be politically inspired.
“I would definitely not categorize it as a hacktivist type of activity,” said Marc Gaffan, cofounder of Incapsula. One of its clients was targeted in the attack.
“It’s definitely a business-driven initiative,” Gaffan told the E-Commerce Times. “It’s someone trying to take down a service for commercial reasons.”
The attack on Monday exploited a known vulnerability in software that is a key component of the Internet’s infrastructure: Network Time Protocol (NTP) servers.
“Those servers are vital to a number of functions,” said Scott Hazdra, a principal security consultant at Neohapsis.
“If two computers can’t agree on the same time, there will be problems with things they might try to do,” he told the E-Commerce Times. “They might have problems encrypting traffic. NTP is also critical in maintaining accurate logging and monitoring.”
Monday’s DDoS barrage did not come without warning. A group called “DERP Trolling” has been using NTP amplification to attack video game sites. U.S. CERT issued a warning about the attack method in January and updated it in February.
The attack exploits the “monlist” command in NTP server software before version 4.2.7, according to CERT.
“The basic attack technique consists of an attacker sending a ‘get monlist’ request to a vulnerable NTP server, with the source address spoofed to be the victim’s address,” CERT explained in an alert posted to the Internet.
Monlist allows a list of the last 600 IP addresses that connected to the NTP server to be sent to a victim. Due to the spoofed source address, when the NTP server sends the response, it is sent instead to the victim, CERT explained.
“Because the size of the response is typically considerably larger than the request, the attacker is able to amplify the volume of traffic directed at the victim,” CERT said.
Making matters worse, CERT continued, the responses are legitimate data coming from valid servers, which makes these attacks especially difficult to block.
To prevent an NTP server from being used in a DDoS attack, CERT recommends that administrators upgrade their NTP server software to the latest version of the program, or turn off monlist, which is turned on by default in older systems.
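As an added illustration of CERT’s second recommendation (this fragment is not from the article, CERT, or any vendor), here is an ntp.conf for the ntp.org reference ntpd with the permissive settings shown commented out above the hardened ones. The pool hostnames are placeholders; substitute your own time sources.

```conf
# ntp.conf hardening against monlist reflection (added example, not from the
# article or CERT). Assumes the ntp.org reference ntpd; directive names are real.
#
# PERMISSIVE (what an untouched older install effectively amounts to):
#   restrict default            # no limits: anyone may send mode 7 queries such as monlist
#   enable monitor              # monitor/monlist facility on, the default in old builds
#
# HARDENED:
driftfile /var/lib/ntp/ntp.drift

# Turn off the monitor facility entirely, so a "monlist" request has nothing to return.
disable monitor

# Default policy for every remote address: rate-limited, kiss-o'-death on abuse,
# no configuration changes, no traps, no peering, and no ntpq/ntpdc queries.
restrict default kod limited nomodify notrap nopeer noquery
restrict -6 default kod limited nomodify notrap nopeer noquery

# The local host keeps full access for administration and monitoring.
restrict 127.0.0.1
restrict -6 ::1

# Upstream time sources (placeholder hostnames).
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
```

After restarting ntpd, confirm from a separate host that a monlist query against your own server times out rather than answering; a server that still replies is still a usable reflector.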
That is easier to do in theory than in practice, though. There are some 3,000 public NTP servers on the Net and numerous others on smaller networks. The software on those servers isn’t kept current for a number of reasons — from administrative workloads to neglect.
“It’s very difficult to defend against people or organizations that put insecure servers on the Internet,” said Neohapsis’ Hazdra. “There’s always going to be people who set something up and don’t maintain it.”
However, following Monday’s attack, there will be more reason than ever for administrators to lock down their NTP servers.
“Once an attack like this is seen to be successful by the chaotic actors, they will continue to try to exploit it,” Daniel Shugrue, a product marketing manager with Akamai Technologies, told the E-Commerce Times.
Exploiting vulnerabilities in the Internet’s infrastructure is an issue that should concern everyone who uses the Net.
“Previous DDoS attacks were brute force attacks with spam, creating lots of traffic to take down a system,” explained Eric Chiu, president and founder of HyTrust.
“If you can make that easier by using the fundamental building blocks of the Internet against itself, that’s even scarier,” he told the E-Commerce Times. “Who knows how many of these vulnerabilities exist? How many other building blocks of network infrastructure, of server systems, can be used for a similar thing?”